Good morning folks! I have some updates on the threat side of things that I think are interesting and might help in conversations with your friends and colleagues:

Ugh, Ransomware. Again.

An older adventurer is running from a massive fire, indicating that he was not ready for just how bad it would be.
That went about as well as expected…

We hear tons about recent breaches concerning Okta, Solarwinds, and MoveIT – the tempo is not slowing down. But do you know what all of the threat actors seem to have in common? They combine TTPs but one of their major ways of delivering impact is via Ransomware. Whether it be encryption of the contents, threats to leak it, or both, Ransomware is still the major concern. NCC Group released a report detailing that, and it sees an 153% growth YoY in ransomware incidents, with 76% of them being the “double extortion” variety. Lockbit 3.0 and BlackCat were joined by LostTrust and RansomedVC in the leaderboard. The Cl0p folks (MoveIT attackers) dropped out of the running. Poor guys! FWIW, most of these teams are for-hire, so even State-sponsored attacks may leverage them, and may leverage 2 at a time, just in case one fails – hackers are belt-and-suspenders types of people apparently. Keep talking about it folks, and educate your stakeholders on it!

  • Want to know more?
  • Want to get nerdy?
    • LockBit 3.0 – general purpose, but just yesterday was announced to have hit Boeing
    • LostTrust – hit 53 known victims, mostly healthcare and legal, since June
    • BlackCat/ALPHV – seems to be the successor to REvil and a definitely Russian threat actor
    • RansomedVC – who seems to be a little worried and trying to exit before getting nabbed

Ugh, AI. Again?

AI is getting a lot of press, and I think it speaks to just how much is at stake. I am no expert, but I do think that figuring out how to put up guard rails is a great idea. The Biden Administration just issued a pretty high-level but ambitious Executive Order that will attempt to cover many aspects, from security to safety, privacy, civil rights, workers rights, and even protecting innovation. I think it is a good first step, but far from final – it reads more like an agenda-setter than something of great detail. If you want to be up on the times and know more, here are some resources that help me a lot:

  • Want to read more? This expert panel did some awesome write-ups.
  • Want to get nerdy? Read the EO’s fact sheet and dive into more if you like.

Things I am keeping an eye on myself?

  • Don’t sleep on this vCenter CVE – it is a doozy.
  • The SEC is going after the former Solarwinds CISO for fraud. I am pro-CISO, but there are limits. Most orgs are not giving their CISO’s enough power to make real change, and instead are looking for scapegoats (someone on which to pin all of their risk). But the last thing you do is orchestrate a cover-up.
  • While it goes unsaid, government agencies are always an enticing target – we need to better fund and focus on protecting them. Add Philly to the list 🙁
  • MGM seemed to get a ton of flack for their breach, but honestly seemed very transparent. Caesars seemed to avoid that, but as Matt points out in this blog post, it looks a lot worse for them in retrospect. The 4-day requirement the USG is pushing for on reporting breaches might seem rough, but would help.

I hope you all have a great weekend, and please feel free to reach out if you need to shoot the breeze about any of the above!